They do so, acknowledging that neither of them had actually listened to what I said at my keynote. Hence, their blog post is based on certain assumptions of what I said. Regrettably, those assumptions are not borne out in fact.

I very much appreciate a robust debate about the future of how we best protect information privacy. It is far too important a value to not do so. But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value. In the spirit of giving Cavoukian et al.—and the general audience—the opportunity to appreciate what I actually said, here are the facts.

* In her first paragraph, Cavoukian et al. argue that I suggested people had lost interest in privacy protection. I never said anything to that effect. In fact, I said the exact opposite:

“Some may think that this is the end of privacy—some have even said so. But nothing could be further from the truth. Humans on both sides of the Atlantic and across all age groups still value and desire information privacy. We must not and do not need to give up on privacy as a fundamental societal value.”

* In their third paragraph, Cavoukian et al. write that I suggested the “obliteration of Fair Information Practices.” I never said anything like this. Again, on the contrary I argued in my speech that: “In that very sense, then, this next phase in protecting information privacy more effectively could be anchored in the very principles that the founders of European data protection conceived in the 1970s.”

In addition I have taken part in a workshop that produced amended Fair Information Principles for the Big Data age. The resulting whitepaper has been available online since early December and was also available at the IAPP Congress where I spoke. The whitepaper—which like any consensus document reflects many but not all of my views—makes crystal clear the continuing import and need for Fair Information Principles.

* In their fourth paragraph Cavoukian et al. suggest that I argued for “taking away all control of [the public’s] personal information”. That, again, is incorrect. In fact, in my speech I said after explaining that we need more accountability of data users: “This does not imply that data subject’s consent is no longer important.”

This clear sentiment is echoed in the whitepapers—one, already mentioned here, on modern Fair Information Principles, and the other on data user accountability—which make clear that individual consent will continue to play a role in an amended information privacy framework.

* Cavoukian et al. also imply that I said privacy impedes innovation. By now you may already suspect the truth: Yes, I never said anything like that either. I, too, believe that privacy can be a force for innovation.

In fact, my view is even more principled than Cavoukian’s et al.: I believe that even if privacy would impede innovation, this should not be a reason to disregard privacy.

The focus in my speech was not information privacy as a value, but the mechanisms we currently employ to protect our privacy. My argument was—and is—that the core mechanism currently used to protect information privacy, namely consent at the time of collection, has in practice not been effective in protecting our privacy. The most recent revelations of Target losing personal data of 70 million customers just underscore my point: None of these 70 million people were protected because they had consented once when signing up for a Target account.

In fact, my suggestion and that of the whitepapers I have co-authored to focus on effective accountability of data users is much closer aligned than "consent at collection" with Cavoukian’s own well regarded work on privacy by design and the need to build privacy deep into the tools we use. (If this needs any more reinforcement, I did write an entire book on the need to build more ‘forgetting’ into our digital memory tools.)

In summary, Cavoukian and her colleagues repeatedly misrepresent what I said throughout their blog post. The truth is that our views are far, far closer than they suggest when it comes to the importance of privacy as a fundamental human value, and the need for effective and trustworthy mechanisms to protect privacy.

The important debate to be had is how to best achieve effective and robust information privacy while acknowledging the value of information use. My hope—and the reason for this clarifying post—is that we can focus precisely on this debate: Thinking hard about the best ways to improve the mechanisms we use to protect our privacy.

Will you join?

Written By

Viktor Mayer-Schonberger

10 Comments

If you want to comment on this post, you need to login

Christopher Wolf• Jan 15, 2014

At the Silicon Flatirons conference this week, I plan to build on your thesis Viktor with respect to measuring and preventing privacy harms through use analysis since notice and choice by definition limited the scope of harms being avoided.

R. Jason Cronk• Jan 15, 2014

Unfortunately, Viktor uses a linguistic trick to try to convince the reader that his position is pro-privacy. However, the astute reader need not be fooled. What Viktor is describing in his talk is, as the title makes clear, "data protection" not privacy. Data protection is the realm of the benevolent steward who safeguards people's personal information. Privacy, in contrast, is the notion that one may dictate (to some degree) the dividing line between the individual and society. Without such personal decision making then there is NO privacy only social control, benevolent or not.
Redefining privacy to exclude conscious consent is not an option.

Christopher Vera• Jan 15, 2014

(my comments are my own and do not necessarily represent that of my employer).
Thanks to the Privacy Association for giving Professor Mayer-Schönberger the opportunity to clarify his views. Privacy is already a confusing enough topic to the layperson so it is important for us to ensure we have such clarity. My only pet peeve is with the use of the term "information privacy." Information has no privacy, could care less about its privacy. COntinuing to refer to privacy as "information" or "data" privacy muddies the waters between privacy and security, which is concerned more with confidentiality than with true privacy.

Viktor Mayer-Schönberger• Jan 16, 2014

Mr Cronk is obviously confused about the principle concepts in our domain. "Data protection" is the term used for what in the North American context often is referred to as information privacy, and while nuances exist (and I have written academic articles about it), neither I nor most others in this discussion make any difference between "data protection" and "information privacy". He is simply beating a dead horse.
To Mr Vera: I appreciate your concern. I did neither coin the term information privacy, nor am I particularly happy about it. But it has come to be used to differentiate informational privacy from physical privacy. Would you prefer the term "information privacy" over the sloppier "information privacy" (btw a similar issue arises with the term "data protection" - as it is not data but the data subject that is afforded protection).

Terminology is always a bit of an issue in this field, but please let's not get bogged down in a trivial matter when the future of privacy (including within that data protection) is at stake. My interpretation of the point made by Viktor is that since we are no longer able to control the uses made of our information by others, the protection of our privacy (or our data) mainly needs to come from something else. This is an argument with which I concur in the book 'The Future of Privacy' and my suggested policy alternatives are a combination of greater incentives for the deployment of privacy practices, the passive empowerment of individuals by giving part of the value of the data back to people, and a range of practical measures to do with transparency, anonymisation, individuals' rights, security by default and privacy-risk assessments.

Gabriela Zanfir• Jan 16, 2014

I absolutely agree on every point you made. I have already argued in the paper I presented at CPDP 2013 in Brussels (Forgetting about consent. Why the focus should be on suitable safeguards in data protection law, published in "Reloading Data Protection") that instead of mystifying consent in data protection and instead of perpetually looking for solutions to make consent rules clearer and stronger, legislators - analysts - scholars must concentrate on other safeguards which are undoubtedly more suitable to protect the object of the right to personal data protection. My proposition (which, of course, can be improved, as it was coined exclusively from the point of view of EU data protection law) was to consider 1. the rights of the data subject (access rights, erasure rights etc), 2. rules regarding purpose limitation and 3. accountability rules the main three "prerogatives" or "derived prerogatives" to achieve personal data protection. I also pointed out that I am not pleading in favor of completely disregarding consent, as consent and, generally, choice are important in the conceptualization of informational self determination. I am only arguing that there are more powerful and more effective instruments in data protection law which should be further developed.
I will most certainly follow this debate and your opinions on it, as well as Eduardo's. I really believe this approach is the future in regulating and enforcing data protection/privacy.

Name Rick Klumpenhouwer• Jan 17, 2014

From someone who delivered a presentation titled "Why I Hate Consent" (a riffing on Will Ferguson's "Why I Hate Canadians") back in 2008, it is no surprise that I would agree with Mr. Mayer-Schonberger's general thesis that individual consent is fast becoming an ineffective tool for protecting individual privacy. At the same time, I still believe that consumer participation in how they submit personal information and what happens to it once it is submitted is extremely important and if anything, needs to be enhanced. In a massively networked, complex information environment, individuals are more gamed that informed by the consent process. A series of symbols or quick data on specific services or companies, much like nutritional information on food products, is one kind of example that uses effective communication rather than a legal contract relationship to encourage participation. Providing good and useful information about information, for both regulators and citizens, will determine the outcome of any real battle for individual privacy on the ground. This, in my mind, is what Information Governance is all about.
In any case, great to see this discussion taking root.

Peter Westerhof• Jan 18, 2014

The devil as always is in the details. Therefore anyone, academic or not, should be know that obfuscating definitions is the root cause for poor discussions and poor politics.
Suggesting ignorance with the other party, or coining a 'North American context for privacy' does not help much either.

Jason Cronk • Jan 22, 2014

VMS: 'neither I nor most others in this discussion make any difference between “data protection” and “information privacy”.'
That's the problem. There is a world of difference and your failure to recognize it does not excuse your manipulate the argument by interchanging them. Alan Westin seminal definition of information privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" certainly predates your data protection = information privacy confusion, even if shared by others. Simply put, the notion of privacy includes individual participation, not pure paternalism. If you want to talk about a data protection regime, then talk about "data protection", don't call it privacy, because it isn't that.
Eduardo, I'm sure as a lawyer you can appreciate of the importance of terminology. I often time run into two parties which are miscommunicating because they are using terminology different. Further my intention in responding was to reduce the attempted watering down of the word. Continue misuse only perpetuates the idea that information privacy equates to data protection.
“But if thought corrupts language, language can also corrupt thought.” -George Orwell

Related

In the third installment of this series looking at monitoring programs across industries, including healthcare, IT, finance, government and telecom, Deidre Rodriguez, CIPP/US, talks with JC Cannon, CIPP/US, CIPT, about monitoring a privacy program in the IT industry. "Having comprehensive rules, training and procedures in place are not as important during an audit as being able to prove that they are working," Cannon says. Cannon provides tips for those developing monitoring programs and highlig...
Read more

The Federal Communications Commission (FCC) is poised to craft new rules that could limit broadband providers’ ability to share information about users’ web activity with advertisers, MediaPost reports. The FCC’s Wireline Competition and Consumer & Governmental Affairs Bureaus will convene a workshop on the privacy rights of broadband users on April 28 in Washington, DC. The FCC said the 2015 Open Internet Order applies Section 222 of the Communications Act to broadband carriers, and has not...
Read more

According to the Network Advertising Initiative (NAI) annual compliance report released Monday, all 92 of its members “substantially complied” with the NAI’s consumer privacy code in 2014, KatyontheHill reports. The code requires ad networks to post data collection and retention practices and give consumers the option to opt out of tracking. The NAI says the minor code violations were unintentional and were “resolved quickly.” The ad network industry considers self-regulatory programs like this ...
Read more

One of the great paradoxes of the Internet is how to ensure user anonymity online while also providing the personalized services many users want. One cryptographer, however, has proposed a solution to help solve this paradox. In this post for Privacy Tech, IBM Research’s Jan Camenisch, principal research staff member and leader of the Privacy & Cryptography Research Team, discusses the inspiration behind Identity Mixer and the ways in which it can protect users’ identities while connecting t...
Read more

"How, I regularly find myself asking, can I help my client side-step a privacy issue?" writes Matthew Lawless in this exclusive for The Privacy Advisor. "Time and again I return to two answers: avoid or outsource." In this feature, Lawless discusses the practical realities of advising a tech start-up on privacy. And, he explains, the real challenge in advising start-ups is not “the intricacy of the legal issues” or even the technology itself. Instead, Lawless writes, “it is the fact that start-u...
Read more

Tags

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.Learn more

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.